Virgo & SecurityManager
https://www.eclipse.org/forums/index.php/mv/msg/279813/784178/#msg_784178
I have tried many options and none of them work.
[Anton Kolmakov, 2012-01-27T06:42:52-00:00]

Re: Virgo & SecurityManager
https://www.eclipse.org/forums/index.php/mv/msg/279813/784267/#msg_784267
The Security Manager is a tricky area but still possible to enable.
You need to use the OSGi Security Manager, Equinox's in particular.

You need to add these properties in your dmk.bat/sh file:
-Declipse.security=osgi
-Declipse.enableStateSaver=true

Now if you start Virgo you have enabled the OSGi Security Manager. The problem is that by default everyone gets AllPermission.
You might want to take a look at these sections in the OSGi specs:

Security section of the OSGi core specification

ConditionalPermissionAdmin of the OSGi compendium specification

Long story short, you need a bundle that will act as a Security Agent of some sort. It will manage your permission sets. The nice thing about that is that this can be dynamic management, so it can be made to update your permissions on the fly while the server is running.

In the attached "Examples.zip" file I've included for you:
- a sample bundle that plays the role of Security Agent
- a sample policy file that is read by the Security Agent in its Activator
- a Java class that signs bundles, provided you have generated your own keystore

You also need to include this in your dmk.bat/sh: -Dosgi.policyFile=osgi-all.policy - this way the Security Agent will know which file to read for policies. Place the policy file in the root of your installation.

To activate the Security Agent bundle you need to put it in /plugins of your Virgo 3.5 installation, then go to /configuration/config.ini and replace this line:

This ensures the Security Agent is the first bundle to start and every other bundle will have the defined permissions applied.

[OPTIONAL] If you are going down the signed bundles path, you need a couple more properties in the dmk.bat/sh:
-Dosgi.framework.keystore=file:<absolute path to your keystore file>
-Dosgi.signedcontent.support="runtime"
If you will use just the location-based permission definitions then you don't need these.

A few words on the policy file. It contains a number of examples that utilize both pure Java and OSGi Permission classes. All examples however use the Signer condition, so if you want location-based permission distribution you need to check the specification for the right syntax. In any case take a look at the syntax described in the specification here. Interesting is the DENY policy applied after a non-restrictive ALLOW to give you some sort of blacklist support.

Also keep in mind the following
- You can't use the plain Java security manager in a default OSGi environment, as it won't have any effect at all. This is because bundles' class loaders are not descendants of URLClassLoader, and Java's security applies only to these.
- You may need to enable pure Java security working in parallel with OSGi's security, because the web applications that GeminiWeb/Tomcat runs use different loaders for their parts. For example, servlets and scriptlets are loaded with Jasper's ClassLoader, which is affected only by the pure Java security. But this is something that may not affect you, so check first.

And last, the examples I give you here are just examples and are not meant for production use!

I've tested the examples only on Virgo Nano, but the principle is the same in all other distributions and I expect this to be applicable without any changes.

IMHO Virgo can provide both the agent and a policy file as part of the server, so if you have a desire for that please raise an enhancement in our Bugzilla.
Also, soon the Equinox launcher that we use may provide functionality to configure the Security Manager right at the server's startup, thus configuring the server more securely at the earliest possible time. For more on this follow this bug.

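The procedure in the post above (Equinox security manager on, a Security Agent bundle started first, a policy file named by -Dosgi.policyFile, a DENY entry for blacklisting) condensed into one activator. This is an added example written for this page; it is not the bundle from Examples.zip and not Virgo code. The package name example.securityagent, the policy-file layout (one encoded ConditionalPermissionInfo per line, '#' starts a comment), the location pattern *untrusted* and the entry names are assumptions made here. The API calls (ConditionalPermissionAdmin, ConditionalPermissionUpdate, BundleLocationCondition and the encoded entry syntax) are the standard ones from the OSGi Core specification; the class-typed getServiceReference needs OSGi Core 4.3, i.e. Equinox 3.7 or later.

```java
package example.securityagent; // hypothetical bundle; not the one in Examples.zip

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.permissionadmin.PermissionInfo;

/** Security Agent: on start, replaces the Conditional Permission Admin table with the
 *  entries read from -Dosgi.policyFile (assumed format: one encoded entry per line,
 *  '#' starts a comment) or, when that property is unset, with DEFAULT_POLICY. */
public class Activator implements BundleActivator {

    private static final String LOCATION_CONDITION =
            "org.osgi.service.condpermadmin.BundleLocationCondition";

    // Built-in fallback in the encoded syntax accepted by
    // ConditionalPermissionAdmin.newConditionalPermissionInfo(String). The table is
    // evaluated top-down and the first entry whose conditions hold and whose permissions
    // imply the requested one decides, so the blacklisting DENY must sit above the ALLOW.
    private static final List<String> DEFAULT_POLICY = Arrays.asList(
            "DENY { [" + LOCATION_CONDITION + " \"*untrusted*\"]"
                    + " (java.lang.RuntimePermission \"exitVM.*\") } \"untrusted-no-exit\"",
            "ALLOW { [" + LOCATION_CONDITION + " \"*\"]"
                    + " (java.security.AllPermission \"*\" \"*\") } \"allow-everyone-else\"");

    public void start(BundleContext context) throws Exception {
        ServiceReference<ConditionalPermissionAdmin> ref =
                context.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null) {
            // Without -Declipse.security=osgi there is no OSGi security manager at all.
            throw new IllegalStateException(
                    "ConditionalPermissionAdmin not registered; is -Declipse.security=osgi set?");
        }
        ConditionalPermissionAdmin cpa = context.getService(ref);
        List<String> encodedEntries = loadPolicy(System.getProperty("osgi.policyFile"));
        String ownLocation = context.getBundle().getLocation();

        // commit() returns false if the table changed under us; rebuild and retry.
        boolean committed = false;
        while (!committed) {
            ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
            List<ConditionalPermissionInfo> table = update.getConditionalPermissionInfos();
            table.clear();
            // Keep the agent itself fully privileged whatever the file says. The typed
            // API avoids having to escape the location string (backslashes on Windows).
            table.add(cpa.newConditionalPermissionInfo("security-agent-self",
                    new ConditionInfo[] { new ConditionInfo(LOCATION_CONDITION, new String[] { ownLocation }) },
                    new PermissionInfo[] { new PermissionInfo("java.security.AllPermission", "*", "*") },
                    ConditionalPermissionInfo.ALLOW));
            for (String encoded : encodedEntries) {
                table.add(cpa.newConditionalPermissionInfo(encoded));
            }
            committed = update.commit();
        }
    }

    public void stop(BundleContext context) { /* the framework persists the table */ }

    /** One encoded entry per line; blank lines and '#' comments are skipped. */
    static List<String> loadPolicy(String policyFile) throws IOException {
        if (policyFile == null) {
            return DEFAULT_POLICY;
        }
        List<String> entries = new ArrayList<String>();
        BufferedReader in = new BufferedReader(
                new InputStreamReader(new FileInputStream(policyFile), "UTF-8"));
        try {
            String line;
            while ((line = in.readLine()) != null) {
                String trimmed = line.trim();
                if (trimmed.length() > 0 && !trimmed.startsWith("#")) {
                    entries.add(trimmed);
                }
            }
        } finally {
            in.close();
        }
        if (entries.isEmpty()) {
            // An empty table means no restrictions (everyone keeps AllPermission).
            throw new IOException("no policy entries found in " + policyFile);
        }
        return entries;
    }
}
```

The bundle's MANIFEST.MF needs Bundle-Activator: example.securityagent.Activator and Import-Package entries for org.osgi.framework, org.osgi.service.condpermadmin and org.osgi.service.permissionadmin. Two points worth keeping in mind when adapting it: the order of entries matters, because the first entry whose conditions are satisfied and whose permissions imply the checked permission wins, so a DENY placed below an ALLOW with AllPermission is never reached; and any bundle that starts before this activator commits runs under the empty table, i.e. with AllPermission, which is why the config.ini change in the post puts the agent first.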
it fails. And I do not know the reason. Any ideas?
[Anton Kolmakov, 2012-01-31T14:11:22-00:00]

Re: Virgo & SecurityManager
https://www.eclipse.org/forums/index.php/mv/msg/279813/787417/#msg_787417
. I think you might have the best luck understanding what's wrong if you debug that. The Conditional Permission Admin is implemented in the system bundle. I remember I had a hard time getting the signature approach to run fine too. Why don't you try the location-based approach for starters.

As for the escaped commas, I think you may have a point here. It would be best to open a bug against Equinox to check whether this indeed is a bug.
It would be most helpful if you attach an example that reproduces the problem you are observing in plain Equinox.
[Borislav Kapukaranov, 2012-01-31T15:02:20-00:00]

Re: Virgo & SecurityManager
https://www.eclipse.org/forums/index.php/mv/msg/279813/787421/#msg_787421

Actually, looking at this specification text I think you may need to escape the comma with a double backslash. Does that work?
[Borislav Kapukaranov, 2012-01-31T15:06:17-00:00]

Re: Virgo & SecurityManager
https://www.eclipse.org/forums/index.php/mv/msg/279813/787524/#msg_787524
Quote:

Actually, looking at this specification text I think you may need to escape the comma with a double backslash. Does that work?

You are right, if I had a hardcoded name like:

String name = "cn=Bugs Bunny,o=ACME\\+\\+,c=US";

I should use a double backslash because Java's backslash is "\\". But in a text file I can simply write "\" and it will be read as "\\" in Java.

My example demonstrates the name in canonical form. I read permissions from the file.

I have tried the approach you proposed with a double backslash, and it does not work either.

Quote:

Why don't you try with the location-based approach for starters.

Of course, I can use it and I will probably use it. But I want to understand what Virgo supports and how it works.
[Anton Kolmakov, 2012-01-31T17:18:20-00:00]

Re: Virgo & SecurityManager
https://www.eclipse.org/forums/index.php/mv/msg/279813/788033/#msg_788033
Quote:

Also when I use BundleSignerCondition with argument "CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*" to match org.eclipse.equinox.simpleconfigurator_1.0.300.v20110815-17 bundle...

I have found the reason for this problem: the pattern I was using was wrong. Because there is a DN chain, the pattern should be "-; CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*; -".
[Anton Kolmakov, 2012-02-01T09:10:15-00:00]
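An added check, not taken from the thread, for trying out signer patterns such as the one above without restarting Virgo: FrameworkUtil.matchDistinguishedNameChain from the OSGi Core API is the matcher the specification defines for BundleSignerCondition's DN chain patterns, and it is a plain static method that runs from a main or a unit test with only the org.eclipse.osgi jar on the classpath. The certificate chain below is constructed for the example (there are no real certificates behind it); the signer's subject DN comes first and the root last, which is the order in which a bundle's certificate chain is presented to the condition. The class name SignerPatternCheck and the DNs are assumptions made here.

```java
import java.util.Arrays;
import java.util.List;

import org.osgi.framework.FrameworkUtil;

/** Tries BundleSignerCondition-style DN chain patterns against a constructed chain. */
public class SignerPatternCheck {

    // Constructed example chain, not real certificates: signer's subject DN first,
    // then its issuer, ending with the root CA.
    static final List<String> CHAIN = Arrays.asList(
            "CN=Example Signer, OU=Build, O=Example Corp, L=Ottawa, ST=Ontario, C=CA",
            "CN=Example Issuing CA, O=Example Corp, C=CA",
            "CN=Example Root CA, O=Example Corp, C=CA");

    static boolean matches(String pattern) {
        return FrameworkUtil.matchDistinguishedNameChain(pattern, CHAIN);
    }

    public static void main(String[] args) {
        String[] patterns = {
                // a single DN pattern matches only a chain consisting of exactly one DN
                "CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*",
                // '-' matches zero or more DNs, so the DN may sit anywhere in the chain
                "-; CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*; -",
                // anchored at the signer: the first DN must match, the issuers may be anything
                "CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*; -",
                // pinned to the trust root instead: a look-alike signer certificate issued
                // by some other CA does not satisfy this one
                "-; CN=Example Root CA, O=Example Corp, C=CA",
        };
        for (String pattern : patterns) {
            System.out.println(matches(pattern) + "  <-  " + pattern);
        }
    }
}
```

To run the same check against a real bundle instead of the constructed chain, build the list from Bundle.getSignerCertificates(Bundle.SIGNERS_TRUSTED): each value in the returned map is one certificate chain, and its DN chain is the getSubjectX500Principal().getName() of every certificate in that list, signer first. Patterns made entirely of wildcards, as in the first three entries, accept any signer located in Ottawa; for a production policy the root (or the signer's full DN) should be pinned as in the last pattern.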